Almost everyone knows at least one person who has received a phone call in which they were persuaded to transfer funds for some 'urgent' reason or another: a friend in danger, a bank account on hold, a demand from a government agency. It can take any shape or form. It's easy to say it'll never happen to me, but the reality is quite different. Damages caused by fraudulent tactics that manipulate emotions run into trillions of dollars globally. These techniques are known as social engineering. Let's explore how your very humanity is leveraged to harm you.
What is social engineering?
Social engineering is the technique by which unscrupulous actors manipulate, deceive, or influence an individual into divulging confidential personal or financial information: bank account details, passwords, transaction history, social security numbers, and so on. The same techniques can also manipulate individuals into performing specific actions that “help” the fraudster, for example being told to download a particular app or piece of software, or to share an OTP you received.
Social engineering, by itself, isn’t an attack. It is the art of using psychological tactics to build trust and then using that information to commit crimes like theft, money laundering, account takeovers, remote takeovers, etc.
The global impact of social engineering
Social engineering forms the bedrock of a world plagued by fraudulent activity. In an entire financial ecosystem involving banks, fintech players, payment processors and networks, technology providers, and the end consumer, “humans” seem to be the weakest link. This is supported by the simple fact that 98% of all cyber fraud involves some form of social engineering.
Social engineering is not restricted to the financial sector, but that is where the largest share of the pie lies. Cyber attacks orchestrated using social engineering techniques have had large-scale consequences like:
- An Association of Certified Fraud Examiners (ACFE) report estimated that businesses lose up to 5% of their revenue to fraud every year!
- In India, a report by the central banking authority, the RBI, reported that bank frauds were up nearly 300% in the last two years and digital frauds were up by 708%
- A LexisNexis survey showed that across EMEA, digital channels account for 52% of overall fraud losses
Social engineering examples
- On an individual level - Cyber fraudsters scammed a retired IAS officer of Rs1.89 crore in the name of forex trading and kept him under “digital arrest”. Story here!
- On a corporate level - OCBC bank’s CEO Helen Wong described her company’s battle against the phishing attacks and subsequent fraudulent transfers as “fighting a war.” Story here!
- On a national security level - Allegedly, a Russian hacking group targeted Ukraine with multiple spear phishing campaigns. Story here!
Social engineering targets an individual, but there is a ripple effect across the system. For instance, victims can be unknowingly turned into money mules, transferring illicit funds and enabling further criminal activities.
Apart from a financial hit, victims of social engineering fraud also suffer emotionally, considering they hold themselves responsible for allowing the attack to happen. Especially in lower-income households, even a single social engineering attack can ruin family dynamics.
Social engineering tactics leave victims with a sense of helplessness and shame, which ultimately also affects their future financial decisions. In the end, banks and financial institutions have to bear the brunt of the financial damage and the loss of consumer trust. Read our op-ed on how money mule scams impact India's financial inclusion efforts.
In countries where consumer perception can make or break brands, a rise in fraudulent activity can lead to higher customer churn; for example, the same survey by LexisNexis also saw that 96% of companies surveyed in the Middle East noticed a significant impact on customer conversion after reported incidents of fraud.
This alone makes it imperative for banks and other financial players to implement a data-driven, holistic approach to protecting their customers from fraud attempts. Bureau’s Money Mule Score identifies vulnerable bank accounts right at the time of onboarding, so that financial institutions (FIs) can increase transaction monitoring accordingly under a Risk-Based Approach.
Explore how our Money Mule Score works here
6 Common Social Engineering Tactics
As mentioned above, social engineering is a method of manipulation. This can take the form of different kinds of attacks on individuals. The most common social engineering tactics deployed by fraudsters globally are:
1. Phishing
Phishing involves sending fraudulent emails to unsuspecting individuals. The emails are often designed well enough that they appear to come from legitimate sources. They deceive the victim into:
- Clicking on a link that leads to a fake website designed to steal login credentials
- Clicking on a malicious link that downloads malware onto their computer
Both help the fraudster conduct account takeovers.
Phishing also has specific sub-forms. If unknown links arrive via email, it's phishing. If they arrive via text message, it is Smishing (SMS phishing). If you are told to share OTPs or other sensitive information over the phone, it is Vishing (voice phishing).
Interestingly, in India, lower literacy and lower email usage leave a considerable part of the population vulnerable to Vishing. Overall, in 2023, India saw 79 million phishing attacks!
2. Whaling
Whaling is a form of phishing that targets high-profile individuals such as executives, CEOs, or financial officers, often with the goal of gaining access to sensitive financial information.
Social engineering is often called an “art” because of such cases. The emails that reach these highly placed individuals are often well-researched and crafted to perfection.
For example, the CEO of FirstDirect fell victim to fraud and shared his story here.
This also proves that literacy or even digital literacy is not a silver bullet to fraud protection.
3. CEO scam
If we flip the last example on its head, this type of attack involves impersonating a company's high-profile leaders and emailing employees to carry out tasks under their apparent direction.
This works simply because a relatively junior employee who receives an email from a senior leader feels compelled to respond positively to authority.
We faced this potential fraud attempt last month, when a WhatsApp text from an unknown number was sent to multiple employees from “Ranjan - the CEO and founder of Bureau”, prompting them to engage.
Did it work? No. Thankfully, as a leading company in fraud prevention, we could clearly see the signs of fraud.
4. Baiting
Baiting involves offering something enticing to lure victims into a trap where they inadvertently expose their personal information or compromise their system security.
How it works:
- Free Offers: Attackers might offer free software downloads, music, or movies embedded with malware.
- Physical Baiting: Leaving infected USB drives in public places like office lobbies, hoping someone will pick one up and plug it into their computer.
This is not just a hypothetical example. In a social experiment by Idaho National Laboratory, USB drives labeled "Confidential Financial Data" were dropped in various places in the office parking lot to see how many employees would plug one into their personal computers.
5. Quid Pro Quo
Quid pro quo attacks involve offering a service or benefit in exchange for information or access.
This can show up as:
- Service offers: Attackers might pose as IT support, offering to fix a problem in exchange for login credentials.
- Survey scams: Offering gift cards or prizes in return for completing surveys that ask for personal or financial information.
6. Pretexting
Pretexting involves creating a fabricated scenario to persuade the victim to divulge information or perform an action.
Attackers often pose as authority figures (e.g., police officers, bank officials) or trusted entities (e.g., colleagues, business partners). A form of pig butchering involves building trust over a period of time and then deceiving the victim. You have probably heard of delivery scams, investment scams, and others. We did a series exploring various types of pig butchering scams on our LinkedIn.
If you haven’t followed us yet, connect with us here.
Who are the most likely targets of social engineering?
(Unfortunately, everybody.)
The elderly
Older adults are less familiar with technology and cybersecurity practices. They often fall prey to frauds that involve inciting urgency, familial emergencies, government agent imposters, and investment scams.
Young adults and teenagers
Younger individuals have a stronger sense of cyber security but often fail to recognize sophisticated scams. They are quicker to accept fake job offers and lottery wins, and sometimes willingly give up sensitive data in return for commissions.
Low-income individuals
Financially vulnerable individuals are more likely to respond to offers that promise quick financial relief with minimal effort.
Non-tech savvy individuals
People not well-versed in technology may not recognize the signs of a scam, like improper grammar, missing indicators of a secure website, improper URL structures, etc.
Financially newly-included
- Individuals with recently opened bank accounts are not well-versed with financial security practices.
- New credit card users often forget to disable certain permissions, leaving them vulnerable to credit card skimming or unauthorized transactions.
- Individuals receiving government assistance are targeted in an attempt to hijack those benefits.
Related read: Money Mule Recruitment: A Story of Psychological Manipulation
Cognitive biases exploited in social engineering financial frauds
“The heightened emotional state makes it hard for the victim to think clearly or make rational decisions. To get their victims under the ether, fraudsters hit their fear, panic, and urgency buttons.” - Frank Abagnale.
Frank Abagnale, the infamous con artist turned consultant, leveraged his expertise in forgery and fraud to assist the FBI for over four decades, inspiring the film "Catch Me If You Can" and authoring "Scam Me If You Can." He says the general public and enterprises are equally vulnerable to social engineering scams.
Essentially, the focal point of any fraud is a “human” who is psychologically manipulated.
But how does it become so easy to manipulate people? Clearly, fraudsters (despite their ill-intentioned goals) are acutely adept at psychology. Research shows that every individual has specific behavioral patterns, or “cognitive biases”, that result in a subjective perception of reality. This skewed perception of environmental inputs alters “reality” and hinders their sense of objectivity.
Let’s put it a bit more simply. You love chocolate. You happen to stumble upon an article that says, “Oh, chocolate is good for your heart.” You take it as confirmation of your preferences, and you advocate that “chocolate is good for health.” What you fail to see are the other signs that don't match your preferences: for example, the article may also mention portion control for chocolate intake, a heightened risk of diabetes, weight gain, etc.
Fraudsters and con artists aim for specific emotional triggers and cognitive biases to exploit!
Here are some of the most common cognitive biases:
1. Power of Authority
People tend to comply with directives or instructions if they come from an 'authority' figure like a police officer or a C-suite-level executive.
Example: An employee receives an urgent email from a "CEO" instructing them to send funds to a new account to secure a business deal. Believing the sender's authority, the employee complies without verifying the request.
2. Reciprocity
According to the principle of reciprocity, people feel obligated to return favors or kindnesses.
Example: A fraudster offers something beneficial, such as technical support or insider information, in exchange for the victim's personal or financial information (also known as a quid pro quo scam).
3. Fear and Urgency
The emotional upheaval caused by fear or urgency can impair the victim's ability to think clearly or make rational decisions.
Example: A text from an unfamiliar number claiming to be a close relative says they have been in an accident and need urgent financial help.
4. Social Proof
In uncertain situations, people look for the actions or approvals of others in similar scenarios.
Example: A group chat has members who share screenshots of successfully receiving remarkable gains from their investments. These members are part of the fraud orchestrator's team.
5. Scarcity Bias
This is the perception that the value of something increases if it is known to be limited in its supply or if it is a rare occurrence.
Example: A phishing email that claims a free international trip, a high-end phone, or large amounts of cash, but the offer expires in 20 minutes.
6. Overconfidence Bias
This bias makes individuals overestimate their ability to make accurate judgments and decisions. They often ignore potential risks because of their confidence in discerning legitimate opportunities from scams.
Example: A high-level executive falls for a sophisticated spear-phishing attack tailored to their expertise and interests.
What is the most effective way to detect and stop social engineering attacks?
You must understand that social engineering tactics do not rely on simple viruses or technical account takeovers. In most instances, the owner of the financial asset voluntarily hands the information to the fraudster or completes the fraudster's financial requests themselves.
This means:
- Most traditional defenses let these transactions through, since it is the supposed “owner” who is approving them
- Firewalls and other technological defenses are only effective against technical threats and unauthorized access
- Social engineering attacks can be gradual, with attackers slowly building trust and manipulating the victim over time. This gradual manipulation can be subtle, making it harder to identify a single moment of compromise or unusual activity.
- Because the genuine user carries out the attacker's instructions, there are often no obvious technical anomalies, such as unfamiliar IP addresses or unusual login times.
Considering the scale and complexity of this challenge, only one solution can truly provide a holistic defense. Effective measures can also disrupt the integration stage of money laundering, where illicit funds are reintroduced into the economy as seemingly legitimate money.
The most effective way to detect and stop social engineering attacks would have to operate at two levels:
1. At the device integrity level
This involves using device intelligence to identify and detect anomalies in the device being used to complete a transaction, for example:
- Monitoring the presence of screen sharing or phone calls during OTP submissions
- Detecting the presence of emulators, VPNs
- Identifying signs of device tampering, rooting, or resets
2. At a device interaction level
This involves using behavioral biometrics to identify abnormal behavior in the user’s usage patterns when interacting with a financial transaction, for example:
- Continuously monitoring user behavior to detect deviations that may indicate fraudulent activity.
- Monitoring signals like typing speed, mouse movements, navigation habits, and touchscreen interactions.
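To make the two-level approach concrete, here is an added example (not Bureau's product code) of how device-integrity signals and a behavioral typing-rhythm signal can be combined into a risk score that drives a risk-based action. The signal names, weights, thresholds and sample sessions are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    """Signals collected for one transaction. Field names are hypothetical."""
    screen_share_during_otp: bool   # screen-sharing app active while the OTP field was focused
    call_active_during_otp: bool    # phone call in progress while the OTP was entered
    emulator: bool                  # device fingerprint matches an emulator
    vpn: bool                       # traffic arrives via a VPN exit
    rooted_or_reset: bool           # root/jailbreak detected or very recent factory reset
    key_intervals_ms: list          # inter-keystroke intervals observed in this session

# Illustrative weights (assumptions, not any vendor's model).
DEVICE_WEIGHTS = {"screen_share_during_otp": 40, "call_active_during_otp": 30,
                  "emulator": 25, "vpn": 10, "rooted_or_reset": 15}

def typing_zscore(baseline_ms, session_ms):
    """How far the session's mean inter-key interval sits from the user's own baseline."""
    mu, sigma = mean(baseline_ms), pstdev(baseline_ms)
    return abs(mean(session_ms) - mu) / (sigma or 1.0)

def score_session(session, baseline_ms):
    """Combine device-integrity and behavioural signals into a 0-100 risk score."""
    score, reasons = 0, []
    for name, weight in DEVICE_WEIGHTS.items():
        if getattr(session, name):
            score += weight
            reasons.append(name)
    z = typing_zscore(baseline_ms, session.key_intervals_ms)
    if z >= 3:       # rhythm far outside the user's norm, e.g. typing what a caller dictates
        score += 30
        reasons.append("typing_rhythm_anomaly")
    elif z >= 2:
        score += 15
        reasons.append("typing_rhythm_drift")
    return min(score, 100), reasons

def decide(score):
    """Risk-based action: the higher the score, the more friction is added."""
    if score >= 60:
        return "hold_and_call_back"
    if score >= 30:
        return "step_up_verification"
    return "allow"

# Constructed sample data: the user's historical typing baseline and two sessions.
BASELINE_MS = [180, 200, 220, 200]
LEGIT = Session(False, False, False, False, False, [190, 205, 195, 210])
COACHED = Session(True, True, False, False, False, [400, 450, 420, 430])  # OTP dictated over a call

if __name__ == "__main__":
    for label, s in (("legit", LEGIT), ("coached", COACHED)):
        score, reasons = score_session(s, BASELINE_MS)
        print(label, score, decide(score), reasons)
```

The point of the "coached" session is that nothing about the login is technically anomalous; only the combination of an active call, screen sharing during OTP entry, and an uncharacteristic typing rhythm reveals that the genuine user is being walked through the transaction.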
At Bureau, we offer a 3x reduction in false positives and a 3x increase in fraud detection with our device intelligence and behavioral biometrics solution. Talk to us to learn how we can tailor our solutions to your business model.
Schedule a free consultation with us here.